Abstract

Functional Reactive Programming (FRP) is a model of reactive systems in which signals are time-dependent values, and signal functions are functions between signals. Signal functions are required to be causal, in that output behaviour at time t is only allowed to depend on input behaviour up to time t. In order to enforce causality, many FRP libraries are arrowized, in that they provide combinators for building signal functions, rather than allowing users to write functions directly. In this paper, we provide a definition of deep causality (which coincides with the usual definition on signals of base type, but differs on nested signals). We show that FRP types can be interpreted in System Fω extended with a kind of time, and show that in this interpretation, a "theorems for free" argument shows that parametric functions are deep causal. Since all System Fω functions are parametric, this implies that all implementable functions are deep causal. This model is the formal basis of the agda-frp-js FRP library for the dependently typed programming language Agda, which compiles to JavaScript and executes in the browser. Assuming parametricity of Agda, this allows reactive programs to be written as regular functions over signals, without sacrificing causality. All results in this paper have been mechanically verified in Agda.



1. Introduction

Many classes of programs are reactive: they run for a long period of time during which they interact with their environment. Examples of reactive programs include control systems, servers, and any program with a graphical user interface.

Many reactive programs are implemented using an event-driven model, in which stateful components send and receive events which update their state, and may cause side-effects such as network traffic or screen updates. A popular example of event-driven programming is the Document Object Model (DOM) [26] event model, with bindings to ECMAScript [11] and executed in a browser context. The event-driven model forms the basis of Actors [17], and the Model View Controller architecture of Smalltalk [7].

The event-driven model has a number of challenging features, including:

• Concurrency: reactive programs often have concurrent features such as dealing with multiple simultaneous events. This either leads to multithreaded languages such as Java, with complex concurrency models [6, Ch. 17], or single-threaded languages such as ECMAScript [11] which do not naturally support multicore execution, and rely on cooperative multitasking.

• Imperative programming: components are stateful, and may respond to events by updating their internal state. These hidden side-effects can result in complex implicit component interdependencies.

• Referential opacity: since components support mutable state, component identity is important. The semantics for components is not referentially transparent, since creating a component and copying it is not equivalent to creating multiple components.

• Callbacks: the idiom for programming in an event-driven model is registering callbacks rather than blocking function calls. For example, in ECMAScript an HTTP request is not a blocking method call, but instead a non-blocking call which registers a callback to handle the result of the HTTP request. This essentially requires the programmer to convert their program to Continuation Passing Style (CPS) [32]. Manual CPS transformation can be error-prone, for example, calling the wrong continuation, or mistakenly calling a continuation twice. In the absence of call/cc, CPS transformation is a whole-program translation, so can require a large codebase to be rewritten.

Functional Reactive Programming allows reactive programs to be written in a pure functional style. Originally developed by Elliott and Hudak [14] as part of the Fran functional animation system, there are now a number of implementations, including Flapjax [28], Frappe [9], Froc [10], FrTime [8], Grapefruit [23], Reactive [12], Reactive-Banana [2], and Yampa [41].

Comparing FRP with the event-driven model, we have:

• Pure functional model: there are no implicit interactions caused by shared mutable state, and a simple concurrency model.

• Referentially transparent: signals can be copied without altering their semantics.

• Direct: FRP programs are given in direct style rather than CPS.

Comparing FRP with synchronous dataflow languages such as Esterel [5], some key distinctions are:

• Fine-grained time: FRP often models time as a continuous domain (such as $\mathbb{R}$) or using a much finer unit of time than the sample frequency of a synchronous language (such as 1ms).

• Higher-order signals: FRP allows signals of signals, which model dynamically reconfigurable dataflow networks.

• Embedded DSL: FRP is typically implemented as an embedded DSL library in a functional host language (often Haskell, but also Agda [19], ECMAScript [28], Java [9], OCaml [10], or Scheme [8]).

The semantics of an FRP program are defined in terms of signals, whose semantics are given as time-indexed values¹:

$\mathrm{Signal}\,A \cong \mathrm{Time} \to A$

For example, the current state of the mouse button could be modeled by a mouseButton signal:

$\mathrm{mouseButton} : \mathrm{Signal}(\mathrm{MouseButtonState})$

$\mathrm{mouseButton} = t \mapsto \begin{cases} \mathrm{down} & \text{if } t \in [2,5) \\ \mathrm{up} & \text{otherwise} \end{cases}$

which gives rise to an event signal of mouse clicks:

$\mathrm{mouseClick} : \mathrm{Signal}(\mathrm{Maybe}(\mathrm{MouseEvent}))$

$\mathrm{mouseClick} = t \mapsto \begin{cases} \mathrm{just}\ \mathrm{clicked} & \text{if } t = 5 \\ \mathrm{nothing} & \text{otherwise} \end{cases}$

Functional reactive programs are defined using combinators which build functions over signals. There are two approaches to defining this combinator library:

• Classic FRP: in classic FRP, combinators are defined as functions over signals, for example:

$\mathrm{map} : (A \to B) \to \mathrm{Signal}\,A \to \mathrm{Signal}\,B$
$\mathrm{map}\,f\,\sigma \approx t \mapsto f(\sigma(t))$

Examples of classic FRP systems include Fran [14], Grapefruit [23], Reactive [12] and Reactive-Banana [2].

• Arrowized FRP: in arrowized FRP, there is no explicit Signal type; instead there is an $\mathrm{SF}\,A\,B$ type for signal functions from $A$ to $B$, whose semantics is given as functions over signals:

$\mathrm{SF}\,A\,B \subseteq \mathrm{Signal}\,A \to \mathrm{Signal}\,B$

The SF type is required to form an arrow [18] with loops [31], for example the equivalent of map is:

$\mathrm{arr} : (A \to B) \to \mathrm{SF}\,A\,B$
$\mathrm{arr}\,f \approx \sigma \mapsto t \mapsto f(\sigma(t))$

The arrow combinators support a point-free style of programming based on the structure of a traced Freyd category [35] (that is, a premonoidal category [34] with a cartesian centre and a premonoidal trace [4]). The reference implementation of arrowized FRP is Yampa [41].

Note that classic FRP can be seen as an instance of arrowized FRP; the difference is whether the equation for SF is an inclusion (up to isomorphism):

$\mathrm{SF}\,A\,B \subseteq \mathrm{Signal}\,A \to \mathrm{Signal}\,B$

or an equivalence (where the inclusion is on-the-nose definitional identity):

$\mathrm{SF}\,A\,B = \mathrm{Signal}\,A \to \mathrm{Signal}\,B$
There are (at least) two reasons for introducing arrowized FRP:

• Semantics: Elliott [13] argues that "one source of discomfort [with classic FRP] is that this model is mostly junk" and "this model allows responding to future input, violating a principle sometimes called causality, which is that outputs may depend on the past or present but not the future." Arrowized FRP allows for a model of SF which only includes causal functions.

• Pragmatics: Nilsson, Courtney and Peterson [30] say "In order to ensure an efficient implementation (one that is free of time and space leaks), signals (time-varying values) are not first class entities in AFRP, unlike the signal functions operating on them. This is one of the most substantial design differences between AFRP and earlier versions of FRP, for example Fran."

¹ Note the use of $\cong$ in the semantics of Signal, since we are only defining the type of signals up to isomorphism. As we shall see later, the definition of $\mathrm{Signal}\,A$ is more complex, but it is isomorphic to $\mathrm{Time} \to A$.

There is, however, a cost associated with arrowized FRP, which is that signal functions are no longer expressed as host-language functions, and instead must be programmed using the point-free combinators. Programming directly in the point-free style can be cumbersome due to explicit wiring combinators; to mitigate this, Haskell provides a DSL for dataflow programming which compiles down to the arrow combinators. Even with this DSL, the programmer is faced with the complexity of a two-layer language whose semantics is a traced Freyd category.

In this paper we address the semantic challenge of giving a junk-free treatment of classic FRP. (For a discussion of the pragmatics of avoiding time leaks in classic FRP, see [23].) We show that given an appropriate definition of Signal, all implementable functions are causal. To sketch our approach, we first consider the definition of causality from [30]:

The output of a signal function at time $t$ is uniquely determined by the input signal on the interval $[0, t]$.

Rephrasing this slightly, we get:

The output of a non-interfering function at security level $\ell$ is uniquely determined by the input on the interval $[\bot, \ell]$.

This is the standard definition of non-interference as an information flow security property [16]. Seen in this light, we can think of causality as a security policy: the future is confidential. This suggests that techniques which have been used to enforce information flow may also work to enforce causality. In this paper, we are inspired by the work of Pierce and Sumii [39], who use relational parametricity to establish non-interference properties.

Relational parametricity was introduced by Reynolds [36], to support reasoning about parametric polymorphism. Wadler [40] showed that parametricity gives "theorems for free", for example, map distributes through concatenation, just from its type. In this paper, we show how relational parametricity can be used to establish causality.

Investigating the relationship between parametricity and causality highlights some features of its definition which are not completely obvious. First, consider the canonical "predict the future" function:

$\phi : \mathrm{Signal}\,A \to \mathrm{Signal}\,A$
$\phi\,\sigma \approx t \mapsto \sigma(t+1)$

This function is non-causal, since its output at time $t$ depends on its input at time $t+1$. Making this more precise, define $\sigma \equiv_u \tau$ on signals to mean "equal up to time $u$":

$\sigma \equiv_u \tau$ whenever $\sigma(t) = \tau(t)$ for any $t \le u$

from which we define $f$ to be causal whenever:

$f(\sigma) \equiv_u f(\tau)$ for any $\sigma \equiv_u \tau$

It is clear that $\phi$ violates causality, since (if we take $\mathrm{Time}$ to be $\mathbb{N}$, and write signals using list notation):

$[0,1,2,\ldots] \equiv_0 [0,0,0,\ldots]$
$\phi\,[0,1,2,\ldots] = [1,2,3,\ldots] \not\equiv_0 [0,0,0,\ldots] = \phi\,[0,0,0,\ldots]$

Things become less clear when we consider higher-order signals, for example:

$\eta : A \to \mathrm{Signal}\,A$
$\eta\,x \approx t \mapsto x$

The signal $\eta(x)$ is just a constant signal with value $x$, and looks like it should be unproblematic. Unfortunately, if we take $A$ to be a signal type, then we have:

$[0,1,2,\ldots] \equiv_0 [0,0,0,\ldots]$
$\eta\,[0,1,2,\ldots] \not\equiv_0 \eta\,[0,0,0,\ldots]$

where the inequality follows from:

$\eta\,[0,1,2,\ldots]\,0 = [0,1,2,\ldots] \neq [0,0,0,\ldots] = \eta\,[0,0,0,\ldots]\,0$

That is, according to this definition, $\eta$ is not causal. This is an example of a function which is surprisingly non-causal, but there are also functions that are surprisingly causal. Consider:

$\psi : \mathrm{Signal}(\mathrm{Signal}\,A) \to \mathrm{Signal}\,A$

This is just a variant of the "predicting the future" example, but is in fact causal. If we try to replay the argument which showed $\phi$ to be non-causal, we have:

$[[0,1,2,\ldots],\ldots]\,0 = [0,1,2,\ldots] \neq [0,0,0,\ldots] = [[0,0,0,\ldots],\ldots]\,0$

and so:

$[[0,1,2,\ldots],\ldots] \not\equiv_0 [[0,0,0,\ldots],\ldots]$

which means there is no violation of causality from:

$\psi\,[[0,1,2,\ldots],\ldots] = [1,\ldots] \not\equiv_0 [0,\ldots] = \psi\,[[0,0,0,\ldots],\ldots]$

These examples demonstrate both unexpected non-causality ($\eta$) and unexpected causality ($\psi$). In both cases, the root cause is the same. In the definition of $\equiv_u$:

$\sigma \equiv_u \tau$ whenever $\sigma(t) = \tau(t)$ for any $t \le u$

we used $=$ as the equivalence at time $t$; that is, this definition is a shallow definition of causality. An alternative definition would be to ask for deep causality, where (at signal type):

$\sigma \equiv_u \tau$ whenever $\sigma(t) \equiv_u \tau(t)$ for any $t \le u$

Note that $\phi$ is still non-causal using this definition, but that $\eta$ is deep causal, and $\psi$ is deep non-causal. Deep causality requires $\equiv_u$ to be defined for non-signal types, for example on base types:

$a \equiv_u b$ whenever $a = b$

and function types:

$f \equiv_u g$ whenever $f(a) \equiv_u g(b)$ for any $a \equiv_u b$

Readers familiar with logical relations will note that this is precisely the definition of a (non-step-indexed) logical relation. This is the heart of our result: every parametric function is deep causal.
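The shallow and deep definitions of $\equiv_u$, run against the three witnesses $\phi$, $\eta$ and $\psi$ above, as an added Python example that is not part of the paper. It assumes $\mathrm{Time} = \mathbb{N}$ truncated to a constructed prefix length, reads $\psi$ as $\sigma \mapsto t \mapsto \sigma(t)(t+1)$ (the reading implied by $\psi\,[[0,1,2,\ldots],\ldots] = [1,\ldots]$), and fills the unspecified later elements of $[[0,1,2,\ldots],\ldots]$ with copies of the first.

```python
# Added example (not the paper's code): shallow vs deep "equal up to time u" on finite
# signal prefixes, checked against the witnesses phi, eta and psi from the introduction.
# Time = N truncated to {0, ..., N-1}; a Signal A is a Python list of length N.
N = 6  # constructed prefix length; long enough for the checks at u = 0

# Types are written "nat" for the base type and ("sig", T) for Signal T.
NAT = "nat"
SIG_NAT = ("sig", NAT)            # Signal N
SIG_SIG_NAT = ("sig", SIG_NAT)    # Signal (Signal N)

def phi(sigma):
    """phi sigma = t |-> sigma(t+1): the canonical 'predict the future' function."""
    return [sigma[t + 1] for t in range(len(sigma) - 1)]

def eta(x, n=N):
    """eta x = t |-> x: the constant signal (x may itself be a signal)."""
    return [x] * n

def psi(sigma):
    """psi sigma = t |-> sigma(t)(t+1): reads the *inner* signal one step ahead."""
    return [sigma[t][t + 1] for t in range(len(sigma) - 1)]

def eq_upto_shallow(_ty, u, a, b):
    """Shallow: a ==_u b iff a(t) = b(t) for all t <= u, with plain = on the elements."""
    return all(a[t] == b[t] for t in range(u + 1))

def eq_upto_deep(ty, u, a, b):
    """Deep: at base type ==_u is =; at signal type a(t) ==_u b(t) for all t <= u, recursively."""
    if ty == NAT:
        return a == b
    _, inner = ty
    return all(eq_upto_deep(inner, u, a[t], b[t]) for t in range(u + 1))

def is_counterexample(eq, dom, cod, u, f, sigma, tau):
    """True when (sigma, tau) witnesses non-causality of f at time u:
    sigma ==_u tau at the domain type but f(sigma) =/=_u f(tau) at the codomain type."""
    return eq(dom, u, sigma, tau) and not eq(cod, u, f(sigma), f(tau))

RAMP = list(range(N))   # [0, 1, 2, ...]
ZEROS = [0] * N         # [0, 0, 0, ...]

def run_checks(eq):
    """For each of phi, eta, psi: does the paper's witness pair refute causality under eq?"""
    return {
        "phi": is_counterexample(eq, SIG_NAT, SIG_NAT, 0, phi, RAMP, ZEROS),
        "eta": is_counterexample(eq, SIG_NAT, SIG_SIG_NAT, 0, eta, RAMP, ZEROS),
        # [[0,1,2,...],...] and [[0,0,0,...],...], unspecified elements filled with copies
        "psi": is_counterexample(eq, SIG_SIG_NAT, SIG_NAT, 0, psi, eta(RAMP), eta(ZEROS)),
    }

if __name__ == "__main__":
    print("shallow:", run_checks(eq_upto_shallow))  # phi and eta refuted, psi not
    print("deep:   ", run_checks(eq_upto_deep))     # phi and psi refuted, eta not
```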

The distinction between shallow and deep causality impacts an implementation as well as its semantics. A system which models shallow causality is one in which signal boundaries introduce changes of clocks. For example, a shallow causal function of type $\mathrm{Signal}(\mathrm{Signal}\,A) \to \mathrm{Signal}\,A$ is allowed to read a signal from its input, and run that signal in a simulated time domain to predict its future behaviour. In contrast, a system which models deep causality is one in which the same clock is shared by all signals. This paper describes the formal model of agda-frp-js [19], which uses ECMAScript's time model throughout, and so implements deep causality.

Another approach to ensuring causality is advocated by Krishnaswami and Benton [25]. Their approach gives semantics in ultrametric spaces, in particular the function space $A \to B$ is the space of nonexpansive maps, which are causal by definition. Our approach is different: $A \to B$ is interpreted as plain old set-theoretic functions, and we rely on an appropriate coding of signals to achieve causality by way of parametricity.

The remainder of the paper supplies the technical details for this result. The paper is structured as follows:

• Section 2 gives a recap of our prior work [21] showing that FRP programs can be regarded as proof objects in a constructive variant of LTL [33].

• Section 3 gives a recap of Girard's System Fω, including its parametricity theorem.

• Section 4 begins the new material with a presentation of System FRPω, which extends System Fω with a kind of time, a type for the order on time, and proof objects capturing that time forms a total order. We show that many of the combinators of FRP can be coded in System FRPω. System FRPω also satisfies parametricity.

• Section 5 provides the definitions of signals for System FRPω.

• Section 6 contains the formal statement of deep causality, together with the result that all parametric functions are causal. Since all System FRPω functions are parametric, this implies that any FRP program implemented in System FRPω is causal.

• Section 7 has a discussion of the implementation of this work in Agda, which includes a compiler to ECMAScript, and mechanized proofs of the results in this paper.

This is the first result showing that a programming language can support FRP programs with signals as first-class citizens, without sacrificing causality, while still interpreting functions set-theoretically.

2. Recap of LTL as a type system for FRP 

In previous work [21] we showed that FRP programs in a dependently typed programming language can be given types in a constructive variant of Linear-time Temporal Logic (LTL) [33], such that any well-typed FRP program is a proof of an LTL tautology. The correspondence between FRP programs and LTL proofs was discovered independently by Jeltsch [24]. The use of LTL to model properties of FRP programs was also investigated by Sculthorpe and Nilsson [38].

The motivation for considering a constructive LTL as a type system for FRP is that the type $\mathrm{Signal}\,A$ models signals whose value can change over time, but whose type cannot (the value must always have type $A$). For example, there is no way to model a signal whose value is a timestamp at some point in the past: an attempt to do so would be $\mathrm{Signal}(\mathrm{Past})$, but $\mathrm{Past}$ is not a type, it is a time-indexed type:

$\mathrm{Past}(t) = \{\, s \mid s \le t \,\}$

Since types can be thought of as propositions, time-indexed types can be thought of as propositions parametrized over time, that is temporal propositions. This leads us to consider reactive sets:

$\mathrm{RSet} = \mathrm{Time} \to \mathrm{Set}$

for example:

$\mathrm{Past} : \mathrm{RSet}$

Jeltsch [23] proposed using signals indexed by era parameters, to avoid time leaks. The type $\mathrm{SSignal}\,A\,(s)$ is the type of signals with start time $s$, inhabited by signals $\sigma$ where $\sigma(t)$ has type $A$ for any time $t \ge s$. In terms of reactive sets:

$\mathrm{SSignal} : \mathrm{Set} \to \mathrm{RSet}$
$\mathrm{SSignal}\,A\,(s) = \prod_{t \ge s} A$

If there is a minimal time 0, then signals with era parameters generalize signals, since:

$\mathrm{Signal}\,A = \mathrm{SSignal}\,A\,(0)$

Given a set $A$, we can consider the constant reactive set $\langle A \rangle$. In temporal logic terms, $\langle A \rangle$ lifts a non-temporal proposition $A$ to a temporal proposition:

$\langle \cdot \rangle : \mathrm{Set} \to \mathrm{RSet}$
$\langle A \rangle(t) = A$

In the other direction, given a reactive set $A$, we can consider the set $[A]$, which is inhabited by signals $\sigma$ such that $\sigma(t)$ has type $A(t)$. In temporal logic terms, a proof of $[A]$ represents a proof that $A$ is a tautology, that is $A(t)$ is provable at all times $t$.

$[\cdot] : \mathrm{RSet} \to \mathrm{Set}$
$[A] = \prod_t A(t)$

Given reactive sets $A$ and $B$, we can form the pointwise function space $A \Rightarrow B$. In temporal logic terms, a proof of $A \Rightarrow B$ at time $t$ is a proof that $A$ at time $t$ implies $B$ at time $t$, which is the usual treatment of implication in LTL:

$(\cdot \Rightarrow \cdot) : \mathrm{RSet} \to \mathrm{RSet} \to \mathrm{RSet}$
$(A \Rightarrow B)(t) = A(t) \to B(t)$

Given reactive set $A$, we can form the modal type $\Box A$, which is inhabited at time $t$ by signals $\sigma$ such that $\sigma(u)$ has type $A(u)$ for any $u \ge t$. In temporal logic terms, $\Box$ is the "globally true" modality for the future:

$\Box : \mathrm{RSet} \to \mathrm{RSet}$

This modality generalizes the signal type, since:

$\mathrm{SSignal}\,A = \Box\langle A \rangle$

In [21], we investigated a semantics for arrowized FRP, based on the constrains modality of LTL [27, 29]. This modality $A \rhd B$ is inhabited at time $t$ by functions $f$ such that $f(\sigma)$ has type $B(u)$ whenever $\sigma$ is a signal for $A$ in the interval $[t,u]$. In temporal logic terms, this is a dual of "until" (since classically $A \rhd B$ is $\neg(A\ \mathcal{U}\ \neg B)$) and is used to model rely/guarantee properties:

$(\cdot \rhd \cdot) : \mathrm{RSet} \to \mathrm{RSet} \to \mathrm{RSet}$
$(A \rhd B)(t) = \prod_{u \ge t} A[t,u] \to B(u)$

where:

$\cdot[\cdot,\cdot] : \mathrm{RSet} \to \mathrm{Time} \to \mathrm{Time} \to \mathrm{Set}$
$A[s,u] = \prod_{s \le t \le u} A(t)$

The reactive set $A \rhd B$ can be thought of as a type for history-dependent functions which, with start time $t$, can produce an output of type $B(u)$ at time $u \ge t$, given an input history of type $A[t,u]$.

Note that functions of this type are causal by definition. In [21], we constructed a model for arrowized FRP based on functions of type $A \rhd B$. In this paper, we show how to construct a model of classic FRP without sacrificing causality.

3. Recap of System Fω

In this section, we introduce a kernel polymorphic functional programming language. We expect that the results would hold in a dependent setting (such as Agda) but we do not need the full power of dependent types, so we will start from Girard's System Fω [15], a polymorphic language with higher-order kinds.

We recall the definition of System Fω, including its syntax, type system, and denotational semantics. We also recall the definition of logical relations for System Fω, and restate parametricity for System Fω. In Section 4 we will extend System Fω with a notion of time, which is a kernel of Haskell suitable for defining FRP. All results in this section have been formalized in Agda [20].

The syntax of System Fω is presented in Figure 1, where:

• $t$ and $u$ range over type variables,

• $x$, $y$ and $z$ range over variables,

• $K$ and $L$ range over kinds, such as $(\mathrm{set} \to \mathrm{set}) \to \mathrm{set}$,

• $\Sigma$ ranges over signatures of the form $t_1 : K_1, \ldots, t_m : K_m$,

• $C$ ranges over constant types, such as $(\forall\mathrm{set})$ (which has kind $(\mathrm{set} \to \mathrm{set}) \to \mathrm{set}$),

• $T$ and $U$ range over types, such as the type for the identity function $(\forall\mathrm{set})(\lambda(t : \mathrm{set}).\ ((\cdot \to \cdot)\,t\,t))$, which we write as $\forall(t : \mathrm{set})(t \to t)$,

• $\Gamma$ ranges over contexts of the form $x_1 : T_1, \ldots, x_n : T_n$, and

• $M$ and $N$ range over terms, such as the polymorphic identity function $\Lambda(t : \mathrm{set}).\ \lambda(x : t).\ x$, which has type $\forall(t : \mathrm{set})(t \to t)$.

We define some shorthands:

$T \to U = (\cdot \to \cdot)\,T\,U$
$\forall(t : K).\ T = (\forall K)(\lambda(t : K).\ T)$

We will often elide the kind or type annotations from bound variables, for example writing $\forall t.\ T$ rather than $\forall(t : K).\ T$. The notions of free variable ($\mathrm{fv}$), free type variable ($\mathrm{ftv}$), domain ($\mathrm{dom}$), capture-avoiding substitution ($T[U/t]$) and $\beta\eta$-convertibility ($=_{\beta\eta}$) are standard. The type rules for System Fω are given in Figure 2, with judgements:

• $\Sigma \vdash \diamond$ "signature $\Sigma$ is well-formed",

• $\Sigma; \Gamma \vdash \diamond$ "with respect to $\Sigma$, context $\Gamma$ is well-formed",

• $\Sigma \vdash T : K$ "with respect to $\Sigma$, type $T$ has kind $K$", and

• $\Sigma; \Gamma \vdash M : T$ "with respect to $\Sigma$ and $\Gamma$, term $M$ has type $T$".

For example, the identity function typechecks as:

$\vdash \forall(t : \mathrm{set})(t \to t) : \mathrm{set}$

$\vdash \Lambda(t : \mathrm{set}).\ \lambda(x : t).\ x : \forall(t : \mathrm{set})(t \to t)$
In Figures 3 and 4, we define the denotational semantics of System Fω² where:

• $\llbracket K \rrbracket \in \mathrm{Set}$,

• $\llbracket \Sigma \vdash \diamond \rrbracket \in \mathrm{Set}$,

• $\llbracket \Sigma; \Gamma \vdash \diamond \rrbracket(A) \in \mathrm{Set}$ where $A \in \llbracket \Sigma \vdash \diamond \rrbracket$,

² In this presentation, for simplicity we allow $\mathrm{Set} \in \mathrm{Set}$. To make this presentation completely formal, it should be stratified into universes, and $\mathrm{set}$ should be parametrized on a universe. This is made formal in the Agda proofs of correctness [20].

2012/11/1
Figure 1. System Fω syntax

Kinds: $K, L ::= \mathrm{set} \mid K \to L$

Signatures: $\Sigma ::= \varepsilon \mid (\Sigma, t : K)$

Constant Types: $C ::= (\cdot \to \cdot) \mid (\forall K)$

Types: $T, U ::= C \mid \lambda(t : K).\ T \mid T\,U \mid t$

Contexts: $\Gamma ::= \varepsilon \mid (\Gamma, x : T)$

Terms: $M, N ::= \lambda(x : T).\ M \mid M\,N \mid x \mid \Lambda(t : K).\ M \mid M\,T$



Figure 2. System Fω judgements

Signatures $\Sigma \vdash \diamond$:

$\dfrac{}{\varepsilon \vdash \diamond}$ $\qquad$ $\dfrac{\Sigma \vdash \diamond \quad t \notin \mathrm{dom}(\Sigma)}{\Sigma, t : K \vdash \diamond}$

Constant types $C : K$:

$(\cdot \to \cdot) : \mathrm{set} \to \mathrm{set} \to \mathrm{set}$ $\qquad$ $(\forall K) : (K \to \mathrm{set}) \to \mathrm{set}$

Types $\Sigma \vdash T : K$:

$\dfrac{\Sigma \vdash \diamond \quad C : K}{\Sigma \vdash C : K}$ $\qquad$ $\dfrac{\Sigma, t : K \vdash T : L}{\Sigma \vdash \lambda(t : K).\ T : K \to L}$

$\dfrac{\Sigma \vdash T : K \to L \quad \Sigma \vdash U : K}{\Sigma \vdash T\,U : L}$ $\qquad$ $\dfrac{\Sigma \vdash \diamond \quad (t : K) \in \Sigma}{\Sigma \vdash t : K}$

Contexts $\Sigma; \Gamma \vdash \diamond$:

$\dfrac{\Sigma \vdash \diamond}{\Sigma; \varepsilon \vdash \diamond}$ $\qquad$ $\dfrac{\Sigma; \Gamma \vdash \diamond \quad \Sigma \vdash T : \mathrm{set} \quad x \notin \mathrm{dom}(\Gamma)}{\Sigma; \Gamma, x : T \vdash \diamond}$

Terms $\Sigma; \Gamma \vdash M : T$:

$\dfrac{\Sigma; \Gamma, x : T \vdash M : U}{\Sigma; \Gamma \vdash \lambda(x : T).\ M : T \to U}$ $\qquad$ $\dfrac{\Sigma; \Gamma \vdash M : T \to U \quad \Sigma; \Gamma \vdash N : T}{\Sigma; \Gamma \vdash M\,N : U}$

$\dfrac{\Sigma; \Gamma \vdash \diamond \quad (x : T) \in \Gamma}{\Sigma; \Gamma \vdash x : T}$ $\qquad$ $\dfrac{\Sigma, t : K; \Gamma \vdash M : U \quad t \notin \mathrm{ftv}(\Gamma)}{\Sigma; \Gamma \vdash \Lambda(t : K).\ M : \forall(t : K).\ U}$

$\dfrac{\Sigma; \Gamma \vdash M : \forall(t : K).\ T \quad \Sigma \vdash U : K}{\Sigma; \Gamma \vdash M\,U : T[U/t]}$ $\qquad$ $\dfrac{\Sigma; \Gamma \vdash M : T \quad \Sigma \vdash T =_{\beta\eta} U : \mathrm{set}}{\Sigma; \Gamma \vdash M : U}$



• $\llbracket \Sigma \vdash T : K \rrbracket(A) \in \llbracket K \rrbracket$ where $A \in \llbracket \Sigma \vdash \diamond \rrbracket$, and

• $\llbracket \Sigma; \Gamma \vdash M : T \rrbracket(A, a) \in \llbracket \Sigma \vdash T : \mathrm{set} \rrbracket(A)$ where $A \in \llbracket \Sigma \vdash \diamond \rrbracket$ and $a \in \llbracket \Sigma; \Gamma \vdash \diamond \rrbracket(A)$.

For example, the identity function has semantics:

$\llbracket \vdash \forall(t : \mathrm{set})(t \to t) : \mathrm{set} \rrbracket() = \prod_{A \in \mathrm{Set}} A \to A$

$\llbracket \vdash \Lambda(t : \mathrm{set}).\ \lambda(x : t).\ x : \forall(t : \mathrm{set})(t \to t) \rrbracket() = A \mapsto a \mapsto a$

We have to provide some sanity checks, to ensure that this definition is well-formed. In the semantics of $\Sigma; \Gamma \vdash \Lambda t.\ M : \forall t.\ T$, there is a use of weakening, which is justified because:

$\llbracket \Sigma; \Gamma \vdash \diamond \rrbracket(A) = \llbracket \Sigma, t : K; \Gamma \vdash \diamond \rrbracket(A, A')$ when $t \notin \mathrm{ftv}(\Gamma)$

In the semantics of $\Sigma; \Gamma \vdash M\,T : U[T/t]$ there is a use of substitutivity, which is justified because:

$\llbracket \Sigma, t : K \vdash U : L \rrbracket(A, \llbracket \Sigma \vdash T : K \rrbracket(A)) = \llbracket \Sigma \vdash U[T/t] : L \rrbracket(A)$

In the semantics of $\Sigma; \Gamma \vdash M : T =_{\beta\eta} U$ there is a use of $\beta\eta$-equivalence, which is justified because:

$\llbracket \Sigma \vdash T : K \rrbracket(A) = \llbracket \Sigma \vdash U : K \rrbracket(A)$ when $\Sigma \vdash T =_{\beta\eta} U : K$

In Figure 5 we extend the semantics of System Fω types from sets to relations (writing $A \leftrightarrow B$ for $\mathcal{P}(A \times B)$) where:

• $\llbracket K \rrbracket^2(A, B) \in \mathrm{Set}$ where $A, B \in \llbracket K \rrbracket$,

• $\llbracket \Sigma \vdash \diamond \rrbracket^2(A, B) \in \mathrm{Set}$ where $A, B \in \llbracket \Sigma \vdash \diamond \rrbracket$,

• $\llbracket \Sigma; \Gamma \vdash \diamond \rrbracket^2(\mathcal{R}) \in \llbracket \Sigma; \Gamma \vdash \diamond \rrbracket(A) \leftrightarrow \llbracket \Sigma; \Gamma \vdash \diamond \rrbracket(B)$ where $\mathcal{R} \in \llbracket \Sigma \vdash \diamond \rrbracket^2(A, B)$, and

• $\llbracket \Sigma \vdash T : K \rrbracket^2(\mathcal{R}) \in \llbracket K \rrbracket^2(A', B')$ where $A' = \llbracket \Sigma \vdash T : K \rrbracket(A)$ and $B' = \llbracket \Sigma \vdash T : K \rrbracket(B)$ and $\mathcal{R} \in \llbracket \Sigma \vdash \diamond \rrbracket^2(A, B)$.

This specializes to the usual presentation of logical relations for System F, in particular at function type:

$(f, g) \in \llbracket \Sigma \vdash T \to U : \mathrm{set} \rrbracket^2(\mathcal{R})$ whenever $(a, b) \in \llbracket \Sigma \vdash T : \mathrm{set} \rrbracket^2(\mathcal{R})$ implies $(f(a), g(b)) \in \llbracket \Sigma \vdash U : \mathrm{set} \rrbracket^2(\mathcal{R})$

and at polymorphic type:

$(f, g) \in \llbracket \Sigma \vdash \forall t.\ T \rrbracket^2(\mathcal{R})$ whenever $(f(A), g(B)) \in \llbracket \Sigma, t : \mathrm{set} \vdash T : \mathrm{set} \rrbracket^2(\mathcal{R}, \mathcal{S})$ for every $A$, $B$ and $\mathcal{S} : A \leftrightarrow B$
Figure 3. System Fω type semantics, where $\Sigma = (t_1 : K_1, \ldots, t_m : K_m)$ and $\Gamma = (x_1 : T_1, \ldots, x_n : T_n)$

$\llbracket K \rrbracket \in \mathrm{Set}$
$\llbracket \mathrm{set} \rrbracket = \mathrm{Set}$
$\llbracket K \to L \rrbracket = \llbracket K \rrbracket \to \llbracket L \rrbracket$

$\llbracket \Sigma \vdash \diamond \rrbracket \in \mathrm{Set}$
$\llbracket \Sigma \vdash \diamond \rrbracket = \llbracket K_1 \rrbracket \times \cdots \times \llbracket K_m \rrbracket$

$\llbracket C \rrbracket \in \llbracket K \rrbracket$ where $C : K$
$\llbracket (\cdot \to \cdot) \rrbracket = A \mapsto B \mapsto (A \to B)$
$\llbracket (\forall K) \rrbracket = F \mapsto \prod_{A \in \llbracket K \rrbracket} F(A)$

$\llbracket \Sigma \vdash T : K \rrbracket(A) \in \llbracket K \rrbracket$ where $A \in \llbracket \Sigma \vdash \diamond \rrbracket$
$\llbracket \Sigma \vdash C : K \rrbracket(A) = \llbracket C \rrbracket$
$\llbracket \Sigma \vdash \lambda t.\ T : K \to L \rrbracket(A) = A' \mapsto \llbracket \Sigma, t : K \vdash T : L \rrbracket(A, A')$
$\llbracket \Sigma \vdash T\,U : L \rrbracket(A) = \llbracket \Sigma \vdash T : K \to L \rrbracket(A)(\llbracket \Sigma \vdash U : K \rrbracket(A))$
$\llbracket \Sigma \vdash t_i : K_i \rrbracket(A) = A_i$

$\llbracket \Sigma; \Gamma \vdash \diamond \rrbracket(A) \in \mathrm{Set}$ where $A \in \llbracket \Sigma \vdash \diamond \rrbracket$
$\llbracket \Sigma; \Gamma \vdash \diamond \rrbracket(A) = \llbracket \Sigma \vdash T_1 : \mathrm{set} \rrbracket(A) \times \cdots \times \llbracket \Sigma \vdash T_n : \mathrm{set} \rrbracket(A)$

Figure 4. System Fω expression semantics

$\llbracket \Sigma; \Gamma \vdash M : T \rrbracket(A, a) \in \llbracket \Sigma \vdash T : \mathrm{set} \rrbracket(A)$ where $A \in \llbracket \Sigma \vdash \diamond \rrbracket$ and $a \in \llbracket \Sigma; \Gamma \vdash \diamond \rrbracket(A)$
$\llbracket \Sigma; \Gamma \vdash \lambda x.\ M : T \to U \rrbracket(A, a) = a' \mapsto \llbracket \Sigma; \Gamma, x : T \vdash M : U \rrbracket(A, a, a')$
$\llbracket \Sigma; \Gamma \vdash M\,N : U \rrbracket(A, a) = \llbracket \Sigma; \Gamma \vdash M : T \to U \rrbracket(A, a)(\llbracket \Sigma; \Gamma \vdash N : T \rrbracket(A, a))$
$\llbracket \Sigma; \Gamma \vdash x_i : T_i \rrbracket(A, a) = a_i$
$\llbracket \Sigma; \Gamma \vdash \Lambda t.\ M : \forall t.\ U \rrbracket(A, a) = A' \mapsto \llbracket \Sigma, t : K; \Gamma \vdash M : U \rrbracket(A, A', a)$
$\llbracket \Sigma; \Gamma \vdash M\,T : U[T/t] \rrbracket(A, a) = \llbracket \Sigma; \Gamma \vdash M : \forall(t : K).\ U \rrbracket(A, a)(\llbracket \Sigma \vdash T : K \rrbracket(A))$



Figure 5. System Fω logical relations, where $\Sigma = (t_1 : K_1, \ldots, t_m : K_m)$ and $\Gamma = (x_1 : T_1, \ldots, x_n : T_n)$

$\llbracket K \rrbracket^2(A, B) \in \mathrm{Set}$ where $A, B \in \llbracket K \rrbracket$
$\llbracket \mathrm{set} \rrbracket^2(A, B) = (A \leftrightarrow B)$
$\llbracket K \to L \rrbracket^2(F, G) = \prod_{\mathcal{R} \in \llbracket K \rrbracket^2(A, B)} \llbracket L \rrbracket^2(F(A), G(B))$

$\llbracket \Sigma \vdash \diamond \rrbracket^2(A, B) \in \mathrm{Set}$ where $A, B \in \llbracket \Sigma \vdash \diamond \rrbracket$
$\llbracket \Sigma \vdash \diamond \rrbracket^2(A, B) = \llbracket K_1 \rrbracket^2(A_1, B_1) \times \cdots \times \llbracket K_m \rrbracket^2(A_m, B_m)$

$\llbracket C \rrbracket^2 \in \llbracket K \rrbracket^2(\llbracket C \rrbracket, \llbracket C \rrbracket)$ where $C : K$
$\llbracket (\cdot \to \cdot) \rrbracket^2 = \mathcal{R} \mapsto \mathcal{S} \mapsto \{ (f, g) \mid \forall (a, b) \in \mathcal{R}.\ (f(a), g(b)) \in \mathcal{S} \}$
$\llbracket (\forall K) \rrbracket^2 = \mathcal{R} \mapsto \{ (f, g) \mid \forall \mathcal{S} \in \llbracket K \rrbracket^2(A, B).\ (f(A), g(B)) \in \mathcal{R}(\mathcal{S}) \}$

$\llbracket \Sigma \vdash T : K \rrbracket^2(\mathcal{R}) \in \llbracket K \rrbracket^2(\llbracket \Sigma \vdash T : K \rrbracket(A), \llbracket \Sigma \vdash T : K \rrbracket(B))$ where $\mathcal{R} \in \llbracket \Sigma \vdash \diamond \rrbracket^2(A, B)$
$\llbracket \Sigma \vdash C : K \rrbracket^2(\mathcal{R}) = \llbracket C \rrbracket^2$
$\llbracket \Sigma \vdash \lambda t.\ T : K \to L \rrbracket^2(\mathcal{R}) = \mathcal{R}' \mapsto \llbracket \Sigma, t : K \vdash T : L \rrbracket^2(\mathcal{R}, \mathcal{R}')$
$\llbracket \Sigma \vdash T\,U : L \rrbracket^2(\mathcal{R}) = \llbracket \Sigma \vdash T : K \to L \rrbracket^2(\mathcal{R})(\llbracket \Sigma \vdash U : K \rrbracket^2(\mathcal{R}))$
$\llbracket \Sigma \vdash t_i : K_i \rrbracket^2(\mathcal{R}) = \mathcal{R}_i$

$\llbracket \Sigma; \Gamma \vdash \diamond \rrbracket^2(\mathcal{R}) \in \llbracket \Sigma; \Gamma \vdash \diamond \rrbracket(A) \leftrightarrow \llbracket \Sigma; \Gamma \vdash \diamond \rrbracket(B)$ where $\mathcal{R} \in \llbracket \Sigma \vdash \diamond \rrbracket^2(A, B)$
$\llbracket \Sigma; \Gamma \vdash \diamond \rrbracket^2(\mathcal{R}) = \llbracket \Sigma \vdash T_1 : \mathrm{set} \rrbracket^2(\mathcal{R}) \times \cdots \times \llbracket \Sigma \vdash T_n : \mathrm{set} \rrbracket^2(\mathcal{R})$
For example, the relational semantics of the type of the identity function is:

$\llbracket \vdash \forall(t : \mathrm{set})(t \to t) : \mathrm{set} \rrbracket^2()$
$= \{ (f, g) \mid \forall \mathcal{R} \in A \leftrightarrow B.\ \forall (a, b) \in \mathcal{R}.\ (f(A)(a), g(B)(b)) \in \mathcal{R} \}$
$\in (\prod_{A \in \mathrm{Set}} A \to A) \leftrightarrow (\prod_{A \in \mathrm{Set}} A \to A)$
$= \llbracket \vdash \forall(t : \mathrm{set})(t \to t) : \mathrm{set} \rrbracket() \leftrightarrow \llbracket \vdash \forall(t : \mathrm{set})(t \to t) : \mathrm{set} \rrbracket()$

We can verify that if $i$ is the semantics of the polymorphic identity function:

$i = A \mapsto a \mapsto a$

then $i$ is related to itself in the logical relation for its type:

$(i, i) \in \llbracket \vdash \forall(t : \mathrm{set})(t \to t) : \mathrm{set} \rrbracket^2()$

In fact, this property is true for any System Fω term, which is the parametricity property.

THEOREM 1 (Parametricity of System Fω). $\mathcal{R} \in \llbracket \Sigma \vdash \diamond \rrbracket^2(A, B)$ and $(a, b) \in \llbracket \Sigma; \Gamma \vdash \diamond \rrbracket^2(\mathcal{R})$ implies $(a', b') \in \llbracket \Sigma \vdash T : \mathrm{set} \rrbracket^2(\mathcal{R})$ where $a' = \llbracket \Sigma; \Gamma \vdash M : T \rrbracket(A, a)$ and $b' = \llbracket \Sigma; \Gamma \vdash M : T \rrbracket(B, b)$.

This theorem has been mechanically verified [20].



4. System FRPω

In this section, we define System FRPω, which extends System Fω with a kind time and appropriate types and expressions to express the order of time. We encode many of the FRP combinators from Section 2 in System FRPω, and state relational parametricity. In Section 6, parametricity is used to establish causality.

The syntax, type judgements, and semantics of System FRPω are given as an extension of System Fω in Figures 6-9. We introduce a kind time of times (similar to Jeltsch's [23] phantom types for eras), together with a type $t \le u$ for the order on time, and constants refl, trans, antisym and case which internalize the properties required of a total order. The semantics of System FRPω are given with respect to a chosen total order $(\mathrm{Time}, \le)$. We can then define the kind of reactive types as:

$\mathrm{rset} = \mathrm{time} \to \mathrm{set}$

and define many of the combinators for reactive types in System FRPω (although we defer $[T]$ and $\Box T$ to Section 5):

$\langle \cdot \rangle : \mathrm{set} \to \mathrm{rset}$
$\langle \cdot \rangle = \lambda a.\ \lambda t.\ a$

$(\cdot \Rightarrow \cdot) : \mathrm{rset} \to \mathrm{rset} \to \mathrm{rset}$
$(\cdot \Rightarrow \cdot) = \lambda a.\ \lambda b.\ \lambda t.\ a\,t \to b\,t$

$\cdot[\cdot,\cdot] : \mathrm{rset} \to \mathrm{time} \to \mathrm{time} \to \mathrm{set}$
$\cdot[\cdot,\cdot] = \lambda a.\ \lambda s.\ \lambda u.\ \forall t.\ (s \le t) \to (t \le u) \to a\,t$

$(\cdot \rhd \cdot) : \mathrm{rset} \to \mathrm{rset} \to \mathrm{rset}$
$(\cdot \rhd \cdot) = \lambda a.\ \lambda b.\ \lambda t.\ \forall u.\ a[t,u] \to b\,u$

These System FRPω combinators have the same semantics as defined in Section 2 (in some cases up to isomorphism, written $\cong$):

$\llbracket \Sigma \vdash \langle T \rangle : \mathrm{rset} \rrbracket(A) = \langle \llbracket \Sigma \vdash T : \mathrm{set} \rrbracket(A) \rangle$
$\llbracket \Sigma \vdash T \Rightarrow U : \mathrm{rset} \rrbracket(A) = \llbracket \Sigma \vdash T : \mathrm{rset} \rrbracket(A) \Rightarrow \llbracket \Sigma \vdash U : \mathrm{rset} \rrbracket(A)$
$\llbracket \Sigma \vdash T[t,u] : \mathrm{set} \rrbracket(A) \cong \llbracket \Sigma \vdash T : \mathrm{rset} \rrbracket(A)[\llbracket \Sigma \vdash t : \mathrm{time} \rrbracket(A), \llbracket \Sigma \vdash u : \mathrm{time} \rrbracket(A)]$
$\llbracket \Sigma \vdash T \rhd U : \mathrm{rset} \rrbracket(A) \cong \llbracket \Sigma \vdash T : \mathrm{rset} \rrbracket(A) \rhd \llbracket \Sigma \vdash U : \mathrm{rset} \rrbracket(A)$

There is a canonical singleton interval:

$\mathrm{sing} : \forall a.\ \forall s.\ a\,s \to a[s,s]$
$\mathrm{sing} = \Lambda a.\ \Lambda s.\ \lambda x.\ \Lambda t.\ \lambda s{\le}t.\ \lambda t{\le}s.\ \mathrm{antisym}\ a\ s\ t\ s{\le}t\ t{\le}s\ x$

and intervals can be concatenated:

$\mathrm{concat} : \forall a.\ \forall s.\ \forall t.\ \forall u.\ a[s,t] \to a[t,u] \to a[s,u]$
$\mathrm{concat} = \Lambda a.\ \Lambda s.\ \Lambda t.\ \Lambda u.\ \lambda \sigma.\ \lambda \tau.\ \Lambda v.\ \lambda s{\le}v.\ \lambda v{\le}u.\ \mathrm{case}\ (a\,v)\ v\ t\ (\lambda v{\le}t.\ \sigma\ v\ s{\le}v\ v{\le}t)\ (\lambda t{\le}v.\ \tau\ v\ t{\le}v\ v{\le}u)$

Let $\mathsf{T}$ be the trivial reactive set:

$\mathsf{T}(t) = \{\ast\}$

Since $\mathsf{T}$ is trivial, we have that $\mathsf{T}[s,u]$ is also trivial:

$\mathsf{T}[s,u] \cong \{\ast\}$

We have that logical relations over $\mathsf{T}$ identify subsets of $\mathrm{Time}$:

$\llbracket \mathrm{rset} \rrbracket^2(\mathsf{T}, \mathsf{T}) = \prod_{\mathcal{R} \in \llbracket \mathrm{time} \rrbracket^2(s,t)} \llbracket \mathrm{set} \rrbracket^2(\mathsf{T}(s), \mathsf{T}(t))$
$= \prod_{s = t} \mathsf{T}(s) \leftrightarrow \mathsf{T}(t)$
$= \prod_{t} \mathsf{T}(t) \leftrightarrow \mathsf{T}(t)$
$= \prod_{t} \{\ast\} \leftrightarrow \{\ast\}$
$\cong \mathcal{P}(\mathrm{Time})$

In the same way as for System Fω, we can show that the semantics of System FRPω respects weakening, substitutivity and $\beta\eta$-equivalence, and that System FRPω satisfies parametricity.

THEOREM 2 (Parametricity of System FRPω). $\mathcal{R} \in \llbracket \Sigma \vdash \diamond \rrbracket^2(A, B)$ and $(a, b) \in \llbracket \Sigma; \Gamma \vdash \diamond \rrbracket^2(\mathcal{R})$ implies $(a', b') \in \llbracket \Sigma \vdash T : \mathrm{set} \rrbracket^2(\mathcal{R})$ where $a' = \llbracket \Sigma; \Gamma \vdash M : T \rrbracket(A, a)$ and $b' = \llbracket \Sigma; \Gamma \vdash M : T \rrbracket(B, b)$.

This theorem has been mechanically verified [20].

5. Signals

In this section, we show how System FRPω can be used to define signals, in such a way that all implementable functions are causal.

The key observation is that we consider System FRPω types with a chosen free type variable $\kappa : \mathrm{rset}$. This type variable is always instantiated as the trivial reactive set $\mathsf{T}$, but parametricity ensures that programs cannot instantiate $\kappa(t)$ directly. Thus, variables of type $\kappa(t)$ can be used as tokens, which allow access to signals at time $t$. If causality is thought of as an information flow property, then $\kappa(t)$ can be thought of as the type of capabilities for $t$.






Figure 6. System FRPω syntactic extensions of System Fω

Kinds: $K, L ::= \cdots \mid \mathrm{time}$

Constant Types: $C ::= \cdots \mid (\cdot \le \cdot)$

Constant Terms: $c ::= \mathrm{refl} \mid \mathrm{trans} \mid \mathrm{antisym} \mid \mathrm{case}$

Terms: $M, N ::= \cdots \mid c$

Figure 7. System FRPω judgements

$\dfrac{\Sigma; \Gamma \vdash \diamond \quad c : T}{\Sigma; \Gamma \vdash c : T}$

$(\cdot \le \cdot) : \mathrm{time} \to \mathrm{time} \to \mathrm{set}$

$\mathrm{refl} : \forall t.\ (t \le t)$

$\mathrm{trans} : \forall s.\ \forall t.\ \forall u.\ (s \le t) \to (t \le u) \to (s \le u)$

$\mathrm{antisym} : \forall a.\ \forall t.\ \forall u.\ (t \le u) \to (u \le t) \to a\,t \to a\,u$

$\mathrm{case} : \forall a.\ \forall t.\ \forall u.\ ((t \le u) \to a) \to ((u \le t) \to a) \to a$

Figure 8. System FRPω type semantics

$\llbracket \mathrm{time} \rrbracket = \mathrm{Time}$

$\llbracket (\cdot \le \cdot) \rrbracket = t \mapsto u \mapsto \begin{cases} \{\ast\} & \text{if } t \le u \\ \emptyset & \text{otherwise} \end{cases}$

Figure 9. System FRPω logical relations

$\llbracket \mathrm{time} \rrbracket^2(t, u) = \begin{cases} \{\ast\} & \text{if } t = u \\ \emptyset & \text{otherwise} \end{cases}$

$\llbracket (\cdot \le \cdot) \rrbracket^2 = \ast \mapsto \ast \mapsto \{(\ast, \ast)\}$

Figure 10. System FRPω expression semantics

$\llbracket \Sigma; \Gamma \vdash c : T \rrbracket(A, a) = \llbracket c \rrbracket$

$\llbracket c \rrbracket \in \llbracket \vdash T : \mathrm{set} \rrbracket$ where $c : T$

$\llbracket \mathrm{refl} \rrbracket = t \mapsto \ast$

$\llbracket \mathrm{trans} \rrbracket = s \mapsto t \mapsto u \mapsto \ast \mapsto \ast \mapsto \ast$

$\llbracket \mathrm{antisym} \rrbracket = A \mapsto t \mapsto u \mapsto \ast \mapsto \ast \mapsto a \mapsto a$

$\llbracket \mathrm{case} \rrbracket = A \mapsto t \mapsto u \mapsto g \mapsto h \mapsto \begin{cases} g(\ast) & \text{if } t \le u \\ h(\ast) & \text{otherwise} \end{cases}$



Define $E \vdash_\kappa T : K$ to mean that $T$ has kind $K$ in type context $E$ together with $\kappa : \mathsf{rset}$, and similarly for the other judgements:

$(E \vdash_\kappa T : K) = (\kappa : \mathsf{rset}, E \vdash T : K)$
$(E; \Gamma \vdash_\kappa \diamond) = (\kappa : \mathsf{rset}, E; \Gamma \vdash \diamond)$
$(E; \Gamma \vdash_\kappa M : T) = (\kappa : \mathsf{rset}, E; \Gamma \vdash M : T)$

Define $\llbracket E \vdash_\kappa T : K \rrbracket_\kappa$ to be the semantics of $T$, where $\kappa$ is instantiated as the trivial reactive set $\top$, and similarly for the other judgements:

$\llbracket E \vdash_\kappa T : K \rrbracket_\kappa(A) = \llbracket \kappa : \mathsf{rset}, E \vdash T : K \rrbracket(\top, A)$
$\llbracket E; \Gamma \vdash_\kappa \diamond \rrbracket_\kappa(A) = \llbracket \kappa : \mathsf{rset}, E; \Gamma \vdash \diamond \rrbracket(\top, A)$
$\llbracket E; \Gamma \vdash_\kappa M : T \rrbracket_\kappa(A, a) = \llbracket \kappa : \mathsf{rset}, E; \Gamma \vdash M : T \rrbracket(\top, A, a)$

Note that we do not provide a similar definition of logical relations $\llbracket E \vdash_\kappa T : K \rrbracket^2_\kappa$, which would instantiate $\kappa$ by the trivial logical relation. Instead, we allow $\kappa$ to be instantiated by any logical relation $\mathcal{R} \in \llbracket \mathsf{rset} \rrbracket^2(\top, \top)$. As we have seen, such logical relations identify subsets of $\mathsf{Time}$, which we can think of as the times a program is allowed access to. In Section 6, we use this to show that parametricity implies causality.

The presence of $\kappa$ allows us to define the reactive type $\Box T$ to be $\kappa \triangleright T$. A witness of $\Box T(s)$ is a witness for $T(t)$ for any $s \le t$, assuming a capability for $[s, t]$. Similarly, a witness for $[T]$ is given by a witness for $T\,t$, assuming a capability for $t$:

$[\cdot] : \mathsf{rset} \to \mathsf{set}$

$[\cdot] = \Lambda a . \forall t . \kappa\,t \to a\,t$

$\Box : \mathsf{rset} \to \mathsf{rset}$

$\Box = \Lambda a . \kappa \triangleright a$



In particular, since $\kappa$ is instantiated by $\top$, we have the promised isomorphism between $\Box T$ and the temporal global future modality:

$\llbracket E \vdash_\kappa \Box T : \mathsf{rset} \rrbracket_\kappa(A)(s)$
$= \llbracket E \vdash_\kappa \kappa \triangleright T : \mathsf{rset} \rrbracket_\kappa(A)(s)$
$\cong (\llbracket E \vdash_\kappa \kappa : \mathsf{rset} \rrbracket_\kappa(A) \triangleright \llbracket E \vdash_\kappa T : \mathsf{rset} \rrbracket_\kappa(A))(s)$
$= (\top \triangleright \llbracket E \vdash_\kappa T : \mathsf{rset} \rrbracket_\kappa(A))(s)$
$= \prod_{t \ge s} \top[s, t] \to \llbracket E \vdash_\kappa T : \mathsf{rset} \rrbracket_\kappa(A)(t)$
$\cong \prod_{t \ge s} \llbracket E \vdash_\kappa T : \mathsf{rset} \rrbracket_\kappa(A)(t)$
$= \Box(\llbracket E \vdash_\kappa T : \mathsf{rset} \rrbracket_\kappa(A))(s)$

There is a similar proof of the isomorphism between $[T]$ and temporal tautologies. Note, however, that these isomorphisms are not parametric in $\kappa$, and so cannot be implemented in System FRP$_\omega$. We can give $\Box$ functorial structure by defining:

$\mathsf{map} : \forall a . \forall b . [a \Rightarrow b] \to [\Box a \Rightarrow \Box b]$

$\mathsf{map} = \Lambda a . \Lambda b . \lambda f . \Lambda s . \lambda j . \lambda \alpha . \Lambda t . \lambda s{\le}t . \lambda k . f\,t\,(\alpha\,t\,s{\le}t\,k)$

and give $\Box$ comonadic structure by defining:

$\delta : \forall a . [\Box a \Rightarrow \Box\Box a]$

$\delta = \Lambda a . \Lambda s . \lambda j . \lambda \alpha . \Lambda t . \lambda s{\le}t . \lambda k . \Lambda u . \lambda t{\le}u . \lambda \ell . \alpha\,u\,(\mathsf{trans}\,s\,t\,u\,s{\le}t\,t{\le}u)\,(\mathsf{concat}\,\kappa\,s\,t\,u\,k\,\ell)$

$\varepsilon : \forall a . [\Box a \Rightarrow a]$

$\varepsilon = \Lambda a . \Lambda s . \lambda k . \lambda \alpha . \alpha\,s\,(\mathsf{refl}\,s)\,(\mathsf{sing}\,\kappa\,s\,k)$

Note that the definition of $\delta$ shows that System FRP$_\omega$ can implement functions which are deep causal, but not shallow causal. We cannot, however, define the "predicting the future" function in System FRP$_\omega$. An attempt is (assuming a $(\cdot + 1)$ function on time):

$\phi : \forall a . [\Box(a) \Rightarrow \Box(a)]$

$\phi = \Lambda a . \Lambda s . \lambda j . \lambda \alpha . \Lambda t . \lambda s{\le}t . \lambda k . \alpha\,(t + 1)\,(\cdots)\,(?)$

but there is no way to fill in the hole of type $\kappa[s, t + 1]$; we can use $k : \kappa[s, t]$, but there is no way to fill the gap of type $\kappa(t, t + 1]$.

6. Causality 

We can now formally define causality, and show that parametric- 
ity implies causality. For simplicity, we will consider causality for 
monomorphic types, although we expect the results could be ex- 
tended to polymorphic types. 

When $\vdash_\kappa T : \mathsf{set}$ and $a, b \in \llbracket \vdash_\kappa T : \mathsf{set} \rrbracket_\kappa$ and $u \in \mathsf{Time}$, define the (deep) causal equivalence $T \models a \equiv_u b$ as:

$(s \le t) \models \ast \equiv_u \ast$ always

$T \to U \models f \equiv_u g$ whenever $U \models f(a) \equiv_u g(b)$ for any $T \models a \equiv_u b$

$\Box T(s) \models \sigma \equiv_u \tau$ whenever $T(t) \models \sigma(t) \equiv_u \tau(t)$ for any $s \le t \le u$

$[T] \models \sigma \equiv_u \tau$ whenever $T(s) \models \sigma(s) \equiv_u \tau(s)$ for any $s$

We then define $f \in \llbracket \vdash_\kappa T \to U : \mathsf{set} \rrbracket_\kappa$ to be (deep) causal whenever:

$U \models f(a) \equiv_u f(b)$ for all $T \models a \equiv_u b$

or equivalently:

$T \to U \models f \equiv_u f$

Causal equivalence is an instance of parametricity, as can be shown by constructing a logical relation $\top^2_u$ as:

$\top^2_u : \llbracket \mathsf{rset} \rrbracket^2(\top, \top)$
$= \prod_{(s, t) \in \mathsf{Time}^2} \llbracket \mathsf{time} \rrbracket^2(s, t) \to \llbracket \mathsf{set} \rrbracket^2(\top(s), \top(t))$
$= \prod_{s = t} (\{\ast\} \leftrightarrow \{\ast\})$

$\top^2_u = (s = t) \mapsto \{(\ast, \ast)\}$ if $t \le u$, $\emptyset$ otherwise

We can then show that the logical relation generated by $\top^2_u$ is exactly $\equiv_u$.

Proposition 3. $T \models a \equiv_u b$ iff $(a, b) \in \llbracket \vdash_\kappa T : \mathsf{set} \rrbracket^2(\top^2_u)$.

From this, and parametricity of System FRP$_\omega$, we have that every function implementable in System FRP$_\omega$ is deep causal.

THEOREM 4. Every $\llbracket \vdash_\kappa M : T \to U \rrbracket_\kappa$ is causal.

This theorem has been mechanically verified [20]. 

7. Implementation in Agda 

Figure 11 shows some simple applications running in a browser. These are implemented in Agda, using a classic FRP library whose semantics is given in the style of this paper [19]. There is a matching compiler to ECMAScript, and a run-time system implementing FRP (which uses the idiomatic HTML5 event model, and an observer pattern for event notification). For example, the clock application is defined:

main = text(map toUTCString(every(1 sec)))

where: 



• every(1 sec) is a signal of Time, which changes value every second,

• map f($\alpha$) applies a function $f : A \to B$ to a signal $\alpha$ of $A$ to get a signal of $B$, in this case $f$ is toUTCString : $\mathsf{Time} \to \mathsf{String}$, and

• text($\sigma$) converts a signal $\sigma$ of String to a signal of DOM nodes.

The types of these combinators are (ignoring some technical issues about the type for DOM nodes):

$\mathsf{every} : \mathsf{Delay} \to [\Box(\mathsf{Time})]$

$\mathsf{map} : [A \Rightarrow B] \to [\Box A \Rightarrow \Box B]$

$\mathsf{text} : [\Box(\mathsf{String}) \Rightarrow \Box\mathsf{DOM}]$

which gives the type of main as $[\Box\mathsf{DOM}]$, that is a signal of DOM nodes, suitable for rendering in a browser.

The library makes use of Agda's system for inferring optional arguments. A function $\lambda\{x : A\} . M$ has type $\forall\{x : A\} . T$ whenever $M$ has type $T$. A function $M : \forall\{x : A\} . B$ can be applied to an argument $N : A$ to give a result $M\{N\} : B[N/x]$. Agda will infer optional arguments if they are not provided explicitly³. We use optional arguments in defining $[\cdot]$:

$[\cdot] : \mathsf{rset} \to \mathsf{set}$
$[\cdot] = \Lambda a . \forall\{t\} . \forall\{k : \kappa\,t\} . a\,t$
So, making the optional arguments explicit, main is defined:

$\mathsf{main} = \Lambda\{t\} . \Lambda\{k\} . \mathsf{text}\{t\}\{k\}\,(\mathsf{map}\,(\Lambda\{u\} . \Lambda\{\ell\} . \mathsf{toUTCString})\,\{t\}\{k\}\,(\mathsf{every}(1\,\mathsf{sec})\{t\}\{k\}))$

which type checks since:

$\mathsf{main} : [\Box\mathsf{DOM}] = \forall\{t\} . \forall\{k\} . (\Box\mathsf{DOM}(t))$
$\mathsf{main} = \Lambda\{t\} . \Lambda\{k\} . M_1$

$M_1 : \Box\mathsf{DOM}(t)$
$M_1 = M_2\{t\}\{k\}(M_3)$

$M_2 : [\Box(\mathsf{String}) \Rightarrow \Box\mathsf{DOM}] = \forall\{t\} . \forall\{k\} . (\Box(\mathsf{String})(t) \to \Box\mathsf{DOM}(t))$
$M_2 = \mathsf{text}$

$M_3 : \Box(\mathsf{String})(t)$
$M_3 = M_4\{t\}\{k\}(M_6)$

$M_4 : [\Box(\mathsf{Time}) \Rightarrow \Box(\mathsf{String})] = \forall\{t\} . \forall\{k\} . (\Box(\mathsf{Time})(t) \to \Box(\mathsf{String})(t))$
$M_4 = \mathsf{map}\,M_5$

$M_5 : [(\mathsf{Time}) \Rightarrow (\mathsf{String})] = \forall\{u\} . \forall\{\ell\} . (\mathsf{Time} \to \mathsf{String})$
$M_5 = \Lambda\{u\} . \Lambda\{\ell\} . \mathsf{toUTCString}$

$M_6 : \Box(\mathsf{Time})(t)$
$M_6 = M_7\{t\}\{k\}$

$M_7 : [\Box(\mathsf{Time})] = \forall\{t\} . \forall\{k\} . \Box(\mathsf{Time})(t)$
$M_7 = \mathsf{every}(1\,\mathsf{sec})$



3 In this paper, we are eliding the difference between implicit arguments 
and instance arguments, since they only differ in the algorithm used to infer 
missing arguments. 
Figure 11. Example Agda programs running in the browser



Under the hood, the reactive type $\Box A$ is implemented in ECMAScript, with an FFI binding to Agda. The implementation is based on Acar's [1] self-adjusting computation. Each signal is implemented as a node in a dataflow graph, which memoizes its current state. When a node changes state, it sends a notification to each of its downstream neighbours, which in turn may send further downstream notifications.

A simple application of the observer pattern results in glitches, which are notifications of transitory incorrect values. For example, in the dataflow graph for the expression $x = \neg x$, a state change to $x$ sends a notification to the $=$ node and the $\neg$ node. If the $=$ node were to process the notification first, it would read a stale value from the $\neg$ node, so send a glitchy notification that its state is true.

To avoid glitches, we adopt a variant of Acar's technique [1], which is also used in [8, 10, 28]. Each node is ranked, such that every node has smaller rank than its observers. The run time system ensures that notifications are processed in rank order, which prevents glitches. For example, in the graph for $x = \neg x$, the $=$ node would be ranked greater than the $\neg$ node, so the $\neg$ node processes its notification before the $=$ node.
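The glitch and its rank-ordered fix, as an added example that is not part of the paper or of the agda-frp-js run-time: a constructed dataflow graph for $x = \neg x$ is driven once with a naive notification order (most recently enqueued node first) and once in rank order, recording every value the $=$ node reports.

```javascript
// Added example, not agda-frp-js code: a minimal ranked dataflow graph in the
// style of Acar's self-adjusting computation. Each node memoizes its state;
// when it changes it notifies its observers, and the scheduler decides the
// order in which pending notifications are processed.
class Node {
  constructor(inputs, compute) {
    this.inputs = inputs;                 // upstream nodes
    this.compute = compute;               // recomputes state from input states
    this.observers = [];                  // downstream nodes
    // Invariant: every node is ranked strictly above all of its inputs.
    this.rank = inputs.length ? Math.max(...inputs.map(n => n.rank)) + 1 : 0;
    for (const n of inputs) n.observers.push(this);
    this.value = compute(...inputs.map(n => n.value));
  }
}

// Propagate a change from `source` and return every value that `probe` is
// notified with along the way, transient (glitchy) ones included.
// ranked=true processes pending nodes lowest rank first; ranked=false is the
// naive observer pattern, here taking the most recently enqueued node first.
function propagate(source, probe, ranked) {
  const trace = [];
  const pending = [];
  const enqueue = nodes => nodes.forEach(n => { if (!pending.includes(n)) pending.push(n); });
  enqueue(source.observers);
  while (pending.length) {
    let n;
    if (ranked) { pending.sort((a, b) => a.rank - b.rank); n = pending.shift(); }
    else { n = pending.pop(); }
    const v = n.compute(...n.inputs.map(i => i.value));
    if (v !== n.value) { n.value = v; enqueue(n.observers); }
    if (n === probe) trace.push(v);
  }
  return trace;
}

// Constructed scenario from the text: the graph for x = ¬x, whose correct
// state is always false. Returns the values the = node reports after x flips.
function glitchTrace(ranked) {
  const x = new Node([], () => false);
  const notX = new Node([x], v => !v);               // rank 1
  const eq = new Node([x, notX], (a, b) => a === b); // rank 2
  x.value = true;                                    // state change at the source
  return propagate(x, eq, ranked);
}

// glitchTrace(false) reports [true, false]: the = node ran first and read a
// stale ¬x. glitchTrace(true) reports [false]: rank order prevents the glitch.
```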

Each node in the dataflow graph maintains a set of pointers to its downstream observers, which has an impact on garbage collection, since these pointers may keep nodes alive unnecessarily. Since ECMAScript does not support weak pointers, we use a reference-counting scheme to remove any nodes with no observers. To ensure safety of this scheme, we maintain an invariant for any node of type $\Box A(s)$, that after time $s$, we never add new observers, only remove them, so it is safe to remove a node which has no observers after time $s$. This garbage collection scheme is essentially the same as Jeltsch [23], but uses Agda's dependent types to express reactive types as temporal logic formulae, rather than relying on Haskell phantom types.

As well as an FRP implementation for GUI programming, the 
agda-frp-js library contains mechanizations of the theorems of this 
paper [20]. The definitions are essentially as given in this paper: the main differences are the use of de Bruijn indices for variables, and universe levels to avoid $\mathsf{Set} \in \mathsf{Set}$.

The implementation of the FRP library and the compiler from 
Agda to ECMAScript is discussed in more detail in [22]. 



8. Conclusions and further work 

In this paper, we have shown that for programs written in System FRP$_\omega$, a kernel language for Haskell extended with time, every program is parametric. Moreover, we have shown that any parametric function is deep causal, and so every function implemented in System FRP$_\omega$ is deep causal. This allows programmers to write signal functions directly, rather than using an arrowized interface, without sacrificing causality. It provides the formal basis of the agda-frp-js [19] FRP library, which allows provably correct applications to run in a browser. This work leaves open some questions.

In this paper, we have considered System FRP$_\omega$, which is the core of FRP programming in Haskell. System FRP$_\omega$ is missing some important features, notably tagged unions, recursion and recursive types. We expect that tagged unions and recursion would not be problematic, but recursive types would introduce problems in the proofs that proceed by induction on type. Also, we have given a definition of causality for monotypes, and this should be generalized to polytypes.

We have not discussed the expressive power of System FRP$_\omega$, and in particular, the existence of loop combinators. Currently System FRP$_\omega$ has no capabilities for induction over time; for discrete time models, such an induction combinator could be typed:

$\forall a . \forall s . (\forall t . (s \le t) \to a[s, t) \to a\,t) \to (\forall t . (s \le t) \to a\,t)$

We expect that such an induction combinator would preserve parametricity, and could be used to implement fixed points of type:

$\forall a . [(\Box a \Rightarrow \blacksquare a) \Rightarrow \Box a]$

where $\blacksquare$ is the type of decoupled signals:

$\blacksquare : \mathsf{rset} \to \mathsf{rset}$

$\blacksquare = \Lambda a . \kappa \blacktriangleright a$

where $A \blacktriangleright B$ is the strict constrains modality:

$(\cdot \blacktriangleright \cdot) : \mathsf{rset} \to \mathsf{rset} \to \mathsf{rset}$

$(\cdot \blacktriangleright \cdot) = \Lambda a . \Lambda b . \Lambda t . \forall u . a[t, u) \to b\,u$

which is defined in terms of semi-open intervals:

$\cdot[\cdot, \cdot) : \mathsf{rset} \to \mathsf{time} \to \mathsf{time} \to \mathsf{set}$

$\cdot[\cdot, \cdot) = \Lambda a . \Lambda s . \Lambda u . \forall t . (s \le t) \to (t < u) \to a\,t$

This would allow us to statically track coupled and decoupled signals, giving some of the power of Nilsson and Sculthorpe's [37] decoupling matrices.

The style of causality used here is non-monotone in that at function type the definition is:

$T \to U \models f \equiv_u g$ whenever $U \models f(a) \equiv_u g(b)$ for any $T \models a \equiv_u b$

which is not monotone in $u$. A Kripke-style definition would be:

$T \to U \models f \equiv_u g$ whenever $U \models f(a) \equiv_t g(b)$ for any $T \models a \equiv_t b$ and $t \le u$

which is monotone in u. We never required monotonicity in our 
results, but it might be interesting to explore the relationship be- 
tween causality and Kripke logical relations. As a special case, 
step-indexing [3] may shed light on FRP's loop combinators. 

Acknowledgements. Many thanks to the anonymous referees 